Kaiji Botnet Resurfaces, Unmasking Ares Hacking Group?

CybersecInfo
8 min read · Feb 28, 2023

1. Overview

Recently, the Threat Monitoring System of QiAnXin Threat Intelligence Center observed a botnet written in Go spreading through multiple vulnerabilities. After analysis, the sample was confirmed to belong to the previously documented botnet family Kaiji.

The Kaiji botnet was first exposed by MalwareMustDie in 2020, and Intezer subsequently published an in-depth analysis of the malware. A later variant was named Chaos by Black Lotus Labs (the threat intelligence division of Lumen Technologies). In July 2022, Sangfor Further Eye Lab published an article stating that the Kaiji botnet was being rebuilt. This year we found that the botnet has resurfaced with upgrades.

While correlating variants of the Kaiji botnet, our analysts incidentally discovered that Kaiji is linked to a large botnet-for-rent group we have been tracking, which we call Ares.

2. Ares Group

2.1 Group Name

We named the hacking group "Ares" for three reasons. First, the creators of the Kaiji variant themselves call it "ares". Second, the configuration of the new variant uses "[a=r=e=s]" as a field separator. Third, we recently found that multiple assets belonging to the group were uniformly switched to the same login page, on which the group also calls itself "Ares" and displays the English slogan "look before you leap".
